CVE-2026-40213

CVE Database · CVE-2026-40213

CVE-2026-40213

· HIGHAwaiting Analysis

CVSS v3.1

7.4

EPSS

0.21%

Published

May 7, 2026

Modified

May 8, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Weaknesses (CWE)

CWE-863

References (3)

https://bugs.launchpad.net/openstack-cyborg/+bug/2143263

https://security.openstack.org/ossa/OSSA-2026-011.html

https://www.openwall.com/lists/oss-security/2026/05/07/6

KEV Catalog EPSS Scores Vendors All CVEs